Re: CSRF (Was: XSS evasion) - modperl

Re: CSRF (Was: XSS evasion)

Sorry for the OT-ness of this thread---
I spent the better part of the past 2 days trying to do a 1-pass
content filtering on XSS attacks, including Flash. Breaking down
every piece of user input twice wasn't nice on my server load.

I liked HTML::TagFilter, but it was making broken tags and I couldn't
push the new tag defaults into it.

So thanks to Clinton Gormley for helping me decide on
HTML::StripScripts::Parser, which does facilitate tag defaults,
albeit in an awkward manner.

Clinton also made a nice skeleton of a wrapper for me to get a
feeling for, saving me a large bit of the learning curve.

In any event, what follows is code that will rewrite user input of
'embed' tags for Flash and replace in allowScriptAccess='never' and
allowNetworking='internal' (object tags are not whitelisted for this).

If you let people embed Flash on your site, you will probably want
to read the code below.
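The post's own Perl code did not survive on this page. What follows is an added example, not the poster's code and not HTML::StripScripts::Parser, written in Python with only the standard library to show the same rule the post describes: every user-supplied `<embed>` is re-serialized with allowScriptAccess='never' and allowNetworking='internal' forced on it (whatever the user sent), `<object>` is not whitelisted and is dropped together with its content, and `<script>` goes the same way. The small tag and attribute allowlist, the requirement that `src` be an http(s) URL, and the sample input are assumptions made for the example.

```python
"""Rewrite user-supplied <embed> tags so Flash runs locked down, and drop
<object> and <script> outright.

Added example (Python, standard library only); it is not the Perl code from
the original post. The allowlists below are illustrative assumptions.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags passed through; any attribute not listed in ALLOWED_ATTRS is discarded.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "embed"}
ALLOWED_ATTRS = {
    "a": {"href", "title"},
    # User-settable <embed> attributes. allowScriptAccess/allowNetworking are
    # deliberately absent: user-supplied values are dropped and replaced below.
    "embed": {"src", "type", "width", "height"},
}
# Tags removed together with everything inside them (object is not whitelisted).
DROP_WITH_CONTENT = {"script", "style", "object"}
VOID_TAGS = {"br", "embed"}
# Values forced onto every surviving <embed>.
FORCED_EMBED_ATTRS = (
    ("allowScriptAccess", "never"),   # SWF may not call into page JavaScript
    ("allowNetworking", "internal"),  # SWF may not navigate or open URLs
)


def _safe_url(url):
    """Accept only absolute http(s) URLs; rejects javascript:, data:, relative."""
    if url is None:
        return False
    return urlsplit(url.strip()).scheme.lower() in ("http", "https")


class FlashEmbedSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._drop_depth = 0  # > 0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if self._drop_depth:
            if tag in DROP_WITH_CONTENT:
                self._drop_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self._drop_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag: strip the tag, keep its text content
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name in ("src", "href") and not _safe_url(value):
                continue
            kept.append((name, value or ""))
        if tag == "embed":
            if not any(name == "src" for name, _ in kept):
                return  # no acceptable src: drop the embed entirely
            kept.extend(FORCED_EMBED_ATTRS)
        self.out.append(self._serialize(tag, kept))

    def handle_endtag(self, tag):
        if self._drop_depth:
            if tag in DROP_WITH_CONTENT:
                self._drop_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._drop_depth:
            self.out.append(escape(data))  # re-escape decoded text

    @staticmethod
    def _serialize(tag, attrs):
        parts = [tag] + [f'{n}="{escape(v, quote=True)}"' for n, v in attrs]
        return "<" + " ".join(parts) + (" />" if tag in VOID_TAGS else ">")


def sanitize(fragment):
    """Return the sanitized HTML fragment."""
    parser = FlashEmbedSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


# Constructed sample input: a legitimate embed with permissive attributes,
# an object tag, a script and a javascript: link.
USER_INPUT = (
    '<p>Watch <b>this</b>:</p>'
    '<embed src="http://example.com/movie.swf" type="application/x-shockwave-flash" '
    'width="400" height="300" allowScriptAccess="always" allowNetworking="all" onload="x()">'
    '<object data="http://example.com/other.swf">'
    '<param name="allowScriptAccess" value="always"></object>'
    '<script>alert(1)</script>'
    '<a href="javascript:alert(1)">click</a>'
)

if __name__ == "__main__":
    print(sanitize(USER_INPUT))
```

An `<embed>` nested inside `<object>` is dropped with its parent, which is the conservative reading of "object tags are not whitelisted"; relative `src` values are also rejected, so adjust `_safe_url` if your site serves its own SWF files by relative path.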